NPM package caught using QR Code to fetch cookie-stealing malware
Briefly

"This week, the Socket Threat Research Team identified a malicious package, 'fezbox', published to npmjs.com, the world's largest open-source registry for JavaScript and Node.js developers. The illicit package contains hidden instructions to fetch a JPG image containing a QR code, which it can then further process to run a second-stage obfuscated payload as a part of the attack. At the time of writing, the package received at least 327 downloads, as per npmjs.com, before the registry admins took it down."
"BleepingComputer confirmed that the malicious payload primarily resides in the dist/fezbox.cjs file of the package (taking version 1.3.0 as an example). "The code itself is minified in the file. Once formatted, it becomes easier to read," explains Socket threat analyst Olivia Brown. The conditionals in the code check if the application is running in a development environment, as explained by Brown. "This is usually a stealth tactic. The threat actor does not want to risk being caught in a virtual environment or any non-production environment, so they may often add guardrails around when and how their exploit runs," states the researcher. "Otherwise, however, after 120 seconds, it parses and executes code from a QR code at the reversed string...""
A malicious npm package named 'fezbox' used QR-code steganography to retrieve and run a second-stage obfuscated payload that steals cookies and credentials. The package fetched a JPG containing a QR code from a remote server, decoded the QR content, and executed the decoded code after a 120-second delay and environment checks designed to avoid development or VM sandboxes. The malicious payload resided primarily in dist/fezbox.cjs. The package accrued at least 327 downloads before removal. The attack demonstrates the use of 2D barcodes for covert payload delivery and represents a novel supply-chain risk to Node.js projects.
Read at BleepingComputer